Hybrid Interfaces

About Hybrid Interfaces

You can configure logical hybrid interfaces on managed devices
that allow the Firepower System to bridge traffic between virtual routers and
virtual switches. If IP traffic received on interfaces in a virtual switch is
addressed to the MAC address of an associated hybrid logical interface, the
system handles it as Layer 3 traffic and either routes or responds to the
traffic depending on the destination IP address. If the system receives any
other traffic, it handles it as Layer 2 traffic and switches it appropriately.
You cannot configure logical hybrid interfaces on an NGIPSv device.

Note that hybrid interfaces that are not associated with both a
virtual switch and a virtual router are not available for routing, and do not
generate or respond to traffic.

Logical Hybrid Interfaces

You must associate a logical hybrid interface with a virtual
router and virtual switch to bridge traffic between Layer 2 and Layer 3. You
can only associate a single hybrid interface with a virtual switch. However,
you can associate multiple hybrid interfaces with a virtual router.

You can also configure the Cisco Redundancy Protocol (SFRP) on a
logical hybrid interface. SFRP allows devices to act as redundant gateways for
specified IP addresses.

Note that disabling the ICMP Enable Responses option for hybrid interfaces
does not prevent ICMP responses in all scenarios. You can add network-based
rules to an access control policy to drop packets where the destination IP is
the hybrid interface's IP and the protocol is ICMP.

If you have enabled the Inspect Local Router Traffic option on the managed
device, it drops the packets before they reach the host, thereby preventing any
response.
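The forwarding rules stated in the two sections above (Layer 3 only for frames addressed to the hybrid interface's MAC, respond versus route by destination IP, nothing at all without both a virtual switch and a virtual router, and an access control rule as the way to suppress ICMP to the interface IP) can be modelled as a small decision function. The following is an added, constructed example and not Firepower code; the interface names, MACs, addresses, routes and the reading that Inspect Local Router Traffic is what subjects packets addressed to the router itself to access control rules are all assumptions made for the model.

```python
"""Model of the hybrid-interface forwarding decisions described above.

Constructed example, not Firepower code. It encodes the page's rules:
frames addressed to the hybrid interface's MAC are handled at Layer 3
(respond if the destination IP is the interface's own, otherwise route),
everything else is switched at Layer 2, and an interface not tied to both
a virtual switch and a virtual router neither routes nor responds. It then
evaluates one network-based access control drop rule of the kind the page
recommends for ICMP aimed at the interface IP.
"""
import dataclasses
import ipaddress
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class HybridInterface:
    name: str
    mac: str                                  # "aa:bb:cc:dd:ee:ff"
    address: ipaddress.IPv4Interface          # interface IP with prefix
    virtual_router: Optional[str]
    virtual_switch: Optional[str]
    routes: list = field(default_factory=list)  # IPv4Network objects the router knows

    def can_route(self) -> bool:
        # Page: without both associations the interface is not available for
        # routing and does not generate or respond to traffic.
        return self.virtual_router is not None and self.virtual_switch is not None


@dataclass
class Frame:
    dst_mac: str
    dst_ip: ipaddress.IPv4Address
    protocol: str  # constructed labels: "icmp", "tcp", "udp"


@dataclass
class DropRule:
    """Network-based access control rule: drop when dst IP and protocol match."""
    dst_ip: ipaddress.IPv4Address
    protocol: str

    def matches(self, frame: Frame) -> bool:
        return frame.dst_ip == self.dst_ip and frame.protocol == self.protocol


def classify(hybrid: HybridInterface, frame: Frame, rules=(),
             inspect_local_router_traffic: bool = False) -> str:
    """Return what the system does with a frame received on the virtual switch."""
    # Anything not addressed to the hybrid interface's MAC stays Layer 2.
    if frame.dst_mac.lower() != hybrid.mac.lower():
        return "switch"
    # Addressed to the hybrid MAC, but the interface lacks a router or a switch:
    # the page says it neither routes nor responds (modelled here as a discard).
    if not hybrid.can_route():
        return "discard: interface not associated with both router and switch"
    local = frame.dst_ip == hybrid.address.ip
    # Assumption: Inspect Local Router Traffic is what makes access control
    # rules apply to packets addressed to the router itself; transit traffic
    # is always subject to the rules.
    if (not local or inspect_local_router_traffic) and any(r.matches(frame) for r in rules):
        return "drop: access control rule"
    if local:
        return "respond"
    # Layer 3 forwarding: longest-prefix match over the router's routes.
    best = max((n for n in hybrid.routes if frame.dst_ip in n),
               key=lambda n: n.prefixlen, default=None)
    return f"route via {best}" if best else "drop: no route"


# Constructed sample topology (assumed values, not from the page).
HYBRID = HybridInterface(
    name="hybrid0", mac="00:11:22:33:44:55",
    address=ipaddress.IPv4Interface("10.10.1.1/24"),
    virtual_router="vr1", virtual_switch="vs1",
    routes=[ipaddress.IPv4Network("0.0.0.0/0"), ipaddress.IPv4Network("10.20.0.0/16")],
)
UNASSOCIATED = dataclasses.replace(HYBRID, name="hybrid1", virtual_router=None)
ICMP_TO_HYBRID = DropRule(ipaddress.IPv4Address("10.10.1.1"), "icmp")


def demo() -> dict:
    """Classify a few constructed frames with no rule, with the ICMP drop rule,
    and with the rule plus Inspect Local Router Traffic."""
    ip = ipaddress.IPv4Address
    cases = {
        "host-to-host": (HYBRID, Frame("de:ad:be:ef:00:01", ip("10.10.1.50"), "tcp")),
        "ping-hybrid": (HYBRID, Frame(HYBRID.mac, ip("10.10.1.1"), "icmp")),
        "transit": (HYBRID, Frame(HYBRID.mac, ip("10.20.5.5"), "udp")),
        "ping-unassociated": (UNASSOCIATED, Frame(HYBRID.mac, ip("10.10.1.1"), "icmp")),
    }
    return {name: (classify(h, f),
                   classify(h, f, rules=[ICMP_TO_HYBRID]),
                   classify(h, f, rules=[ICMP_TO_HYBRID], inspect_local_router_traffic=True))
            for name, (h, f) in cases.items()}


if __name__ == "__main__":
    for name, outcomes in demo().items():
        print(f"{name:18} {outcomes}")
```

Running the module prints one line per case; the "ping-hybrid" case is the one that matters for the note above: the drop rule alone does not change the "respond" outcome in this model, and only the combination of the rule with Inspect Local Router Traffic yields the drop.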

The range of MTU values can
vary depending on the model of the managed device and the interface type.

Caution

Changing the highest MTU value among all non-management interfaces on the device restarts the Snort process when you deploy configuration changes, temporarily interrupting traffic inspection. Inspection is interrupted on all non-management interfaces, not just the interface you modified. Whether this interruption drops traffic or passes it without further inspection depends on the model of the managed device and the interface type. See Snort® Restart Traffic Behavior for more information.

Adding Logical Hybrid Interfaces

Smart License: Any
Classic License: Control
Supported Devices: 7000 & 8000 Series
Supported Domains: Leaf only
Access: Admin/Network Admin

Caution

Adding a routed interface pair on 7000 or 8000 Series devices restarts the Snort process when you deploy configuration changes, temporarily interrupting traffic inspection. Whether traffic drops during this interruption or passes without further inspection depends on how the target device handles traffic. See Snort® Restart Traffic Behavior for more information.

Procedure

Step 1

Choose Devices > Device Management.

Step 2

Next to the device where you want to add the hybrid interface,
click the edit icon.

In a multidomain deployment, if you are not in a leaf domain,
the system prompts you to switch.

Step 3

From the Add drop-down menu, choose Add Logical Interface.

Step 4

Click Hybrid to display the hybrid interface options.

Step 5

In the Name field, enter a name for the interface.

Step 6

From the Virtual Router drop-down list, choose an existing virtual router,
choose None, or choose New to add a new virtual router.

Note

If you add a new virtual router, you must configure it on the
Device Management page after you finish setting up the hybrid interface. See
Adding Virtual Routers.

Step 7

From the Virtual Switch drop-down list, choose an existing virtual switch,
choose None, or choose New to add a new virtual switch.

Note

If you add a new virtual switch, you must configure it on the
Device Management page after you finish setting up the hybrid interface. See
Adding Virtual Switches.

Step 8

Check the Enabled check box to allow the hybrid interface to handle traffic.

Note

If you clear the check box, the interface becomes disabled and
administratively taken down.

Step 9

In the MTU field, enter a maximum transmission unit (MTU), which designates
the largest size packet allowed. The range of MTU values can vary depending
on the model of the managed device and the interface type.

Caution

Changing the highest MTU value among all non-management interfaces on the device restarts the Snort process when you deploy configuration changes, temporarily interrupting traffic inspection. Inspection is interrupted on all non-management interfaces, not just the interface you modified. Whether this interruption drops traffic or passes it without further inspection depends on the model of the managed device and the interface type. See Snort® Restart Traffic Behavior for more information.

Step 10

Next to ICMP, check the Enable Responses check box to allow the interface to
respond to ICMP traffic such as pings and traceroute.

Step 11

Next to IPv6 NDP, check the Enable Router Advertisement check box to enable
the interface to broadcast router advertisements. You can only enable this
option if you added IPv6 addresses.

Step 12

To add an IP address, click Add.

Step 13

In the Address field, enter the IP address and subnet mask. Note the
following:

You cannot add network and broadcast addresses, or the static
MAC addresses 00:00:00:00:00:00 and FF:FF:FF:FF:FF:FF.
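The address restriction in Step 13 can be checked before an entry is submitted. The following validator is an added, constructed example rather than Firepower code: it applies the page's rule literally (the network and broadcast addresses of the entered subnet are rejected, as are the two listed static MAC addresses). How the product treats /31, /32 and IPv6 prefixes is not stated on the page, so the handling of those cases here is an assumption called out in the comments.

```python
"""Validator for the Address-field rule in Step 13 (constructed example).

Rejects what the page says cannot be added: the network and broadcast
addresses of the subnet, and the static MACs 00:00:00:00:00:00 and
FF:FF:FF:FF:FF:FF. Everything else is accepted in normalised form.
"""
import ipaddress
import re

# The two static MAC addresses the page lists as not allowed.
RESERVED_MACS = {"00:00:00:00:00:00", "ff:ff:ff:ff:ff:ff"}
MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")


def validate_address(entry: str) -> tuple:
    """entry is 'address/prefix' or 'address/netmask' as typed into the field.

    Returns (ok, message)."""
    try:
        iface = ipaddress.ip_interface(entry.strip())
    except ValueError as exc:
        return False, f"not a valid address/mask: {exc}"
    net = iface.network
    # Assumption: the rule is applied literally, so for IPv4 /31 and /32
    # (and IPv6 /127 and /128) every host address is rejected as well.
    if iface.ip == net.network_address:
        return False, f"{iface.ip} is the network address of {net}"
    # IPv6 has no broadcast address; assumption: only the network-address
    # check applies there, while IPv4 also rejects the directed broadcast.
    if iface.version == 4 and iface.ip == net.broadcast_address:
        return False, f"{iface.ip} is the broadcast address of {net}"
    return True, f"{iface.with_prefixlen} accepted"


def validate_mac(mac: str) -> tuple:
    """Normalise a MAC to lower-case colon form and reject the reserved ones."""
    norm = mac.strip().lower().replace("-", ":")
    if not MAC_RE.match(norm):
        return False, f"not a valid MAC address: {mac!r}"
    if norm in RESERVED_MACS:
        return False, f"{norm} is a reserved MAC and cannot be assigned"
    return True, norm


def validate_entry(address: str, mac: str = None) -> tuple:
    """Validate one address entry plus an optional static MAC; returns
    (ok, list_of_messages)."""
    ok, msg = validate_address(address)
    messages = [msg]
    if mac is not None:
        mac_ok, mac_msg = validate_mac(mac)
        messages.append(mac_msg)
        ok = ok and mac_ok
    return ok, messages


if __name__ == "__main__":
    # Constructed sample entries, not values from the page.
    for addr, mac in [("10.10.1.1/24", None), ("10.10.1.0/24", None),
                      ("10.10.1.255/255.255.255.0", "00:1a:2b:3c:4d:5e"),
                      ("10.10.1.7/24", "FF:FF:FF:FF:FF:FF"),
                      ("2001:db8::1/64", None)]:
        print(addr, mac, validate_entry(addr, mac))
```

Masks may be given either as a prefix length or as a dotted netmask; both are parsed by `ipaddress.ip_interface`, and the accepted result is always reported in prefix form.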